Here are some tcpdumps collected on the host. That was a great idea! I can see that, from an outside host, ping packets enter on one of the SFP+ ports, pass to the bond1 interface, and then do not get sent onward to the tap0 interface. In contrast, when the ping is sent from an outside host to the host, the packets go from the SFP+ port to the bond1 interface to the br1 interface.
$ sudo tcpdump -nv -i any icmp # pinging VM from another host on network: not working
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:09:18.338181 ens4f1np1 P IP (tos 0x0, ttl 63, id 18488, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.233 > 192.168.1.17: ICMP echo request, id 1006, seq 1, length 64
00:09:18.338181 bond1 P IP (tos 0x0, ttl 63, id 18488, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.233 > 192.168.1.17: ICMP echo request, id 1006, seq 1, length 64
^C
2 packets captured
5 packets received by filter
0 packets dropped by kernel
$ sudo tcpdump -nv -i any icmp # pinging VM from the host: OK
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:10:10.165886 br1 Out IP (tos 0x0, ttl 64, id 19344, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.15 > 192.168.1.17: ICMP echo request, id 12, seq 1, length 64
00:10:10.165892 tap0 Out IP (tos 0x0, ttl 64, id 19344, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.15 > 192.168.1.17: ICMP echo request, id 12, seq 1, length 64
00:10:10.166205 tap0 P IP (tos 0x0, ttl 64, id 64865, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.17 > 192.168.1.15: ICMP echo reply, id 12, seq 1, length 64
00:10:10.166205 br1 In IP (tos 0x0, ttl 64, id 64865, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.17 > 192.168.1.15: ICMP echo reply, id 12, seq 1, length 64
^C
4 packets captured
7 packets received by filter
0 packets dropped by kernel
$ sudo tcpdump -nv -i any icmp # pinging host from another host on network: OK
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:12:27.613923 ens4f1np1 P IP (tos 0x0, ttl 63, id 20161, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.233 > 192.168.1.15: ICMP echo request, id 1006, seq 1, length 64
00:12:27.613923 bond1 P IP (tos 0x0, ttl 63, id 20161, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.233 > 192.168.1.15: ICMP echo request, id 1006, seq 1, length 64
00:12:27.613923 br1 In IP (tos 0x0, ttl 63, id 20161, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.233 > 192.168.1.15: ICMP echo request, id 1006, seq 1, length 64
00:12:27.613967 br1 Out IP (tos 0x0, ttl 64, id 33892, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.15 > 192.168.1.233: ICMP echo reply, id 1006, seq 1, length 64
00:12:27.613969 bond1 Out IP (tos 0x0, ttl 64, id 33892, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.15 > 192.168.1.233: ICMP echo reply, id 1006, seq 1, length 64
00:12:27.613975 ens4f0np0 Out IP (tos 0x0, ttl 64, id 33892, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.15 > 192.168.1.233: ICMP echo reply, id 1006, seq 1, length 64
^C
6 packets captured
9 packets received by filter
0 packets dropped by kernel
$ sudo tcpdump -nv -i any icmp # pinging another host on network from VM: not working
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:41:25.446761 tap0 P IP (tos 0x0, ttl 64, id 39047, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.17 > 192.168.1.233: ICMP echo request, id 21201, seq 1, length 64
^C
1 packet captured
4 packets received by filter
0 packets dropped by kernel
The tap0 interface is shown as connected to br1. The 7a:50 MAC address belongs to tap0; not sure why it’s listed twice, but the bond1 MAC address is also listed twice. The aa:fc MAC address is set by Firecracker for the VM’s eth0.
$ brctl show br1
bridge name     bridge id               STP enabled     interfaces
br1             8000.4e7f990e7a72       no              bond1
                                                        tap0
$ brctl showmacs br1
port no mac addr                is local?       ageing timer
[trimmed...]
  1     2a:81:c6:d2:7b:73       yes                0.00
  1     2a:81:c6:d2:7b:73       yes                0.00
  2     7a:50:27:f0:64:35       yes                0.00
  2     7a:50:27:f0:64:35       yes                0.00
  2     aa:fc:00:00:00:01       no                 4.38
I’m not using macvlans or macvtaps, as far as I know. The tap0 interface was created with ip tuntap add tap0 mode tap user john. From my understanding of the Firecracker docs, I’m not using vhostnet.
For comparison, I booted a spare PC with a single Ethernet interface in a live environment, configured it to have a bridge, added a tap0 interface to it, and booted a Firecracker VM (using a different aa:fc MAC) on it. That VM sees the network OK and is accessible from outside the machine. I haven’t spotted anything different yet, other than not having a bonded interface.